Docker OpenWrt Image: Difference between revisions

← Older edit

Docker OpenWrt Image (view source)

Revision as of 06:51, 12 March 2019

1,620 bytes added , 12 March 2019

→‎雑多なメモ

Nxhack

Bots, Bureaucrats, Administrators

7,275

edits

Revision as of 05:50, 28 December 2018 (view source) Nxhack (talk \| contribs) (→‎Docker OpenWrt Image) ← Older edit		Latest revision as of 06:51, 12 March 2019 (view source) Nxhack (talk \| contribs) (→‎雑多なメモ)
(26 intermediate revisions by the same user not shown)
=Docker OpenWrt Image= ==はじめの第一歩== <syntaxhighlight lang="bash" enclose="div"> docker import https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-x86-64-generic-rootfs.tar.gz openwrt-x86-64-generic-rootfs docker images docker run --rm -i openwrt-x86-64-generic-rootfs cat /etc/banner docker run --rm -i -t openwrt-x86-64-generic-rootfs /bin/ash </syntaxhighlight> ==つかえる OpenWrt 環境構築== <syntaxhighlight lang="bash" enclose="div">▼ Head はいろいろ問題点があったりするのでリリース版で ~~mkdir /var/lock~~ </syntaxhighlight>▼ <syntaxhighlight lang="bash" enclose="div"> ~~docker build -t~~wget https://downloads.openwrt.org/releases/18.06.1/targets/x86/64/openwrt-18.06.1-x86-64-generic-rootfs~~:latest~~ .tar.gz docker run -d --device /dev/kmsg --tmpfs /tmp --cap-add NET_ADMIN openwrt-18.06.1-x86-64-generic-rootfs:latest▼ </syntaxhighlight> Dockerfile: <syntaxhighlight lang="bash" enclose="div">▼ <syntaxhighlight lang="text" enclose="div"> docker exec -it CONTAINER /bin/ash▼ FROM scratch ADD ./openwrt-18.06.1-x86-64-generic-rootfs.tar.gz / EXPOSE 80 443 22 ADD network /etc/config/network USER root CMD ["/sbin/init"] </syntaxhighlight> network: <syntaxhighlight lang="text" enclose="div"> ~~onfig~~config interface 'loopback' option ifname 'lo' option proto 'static' option ipaddr '127.0.0.1' option netmask '255.0.0.0' ~~config globals 'globals'~~ ~~option ula_prefix 'fd86:34c8:f9e4::/48'~~ config interface 'lan' option ipaddr '172.17.0.2' option netmask '255.255.0.0' option ~~ip6assign~~gateway '60172.17.0.1' option ~~gateway~~delegate '~~172.17.~~0.1' ▲</syntaxhighlight> ▲<syntaxhighlight lang="bash" enclose="div"> docker build -t openwrt-18.06.1-x86-64-generic-rootfs:latest . ▲docker run -d --name openwrt --device /dev/kmsg --tmpfs /tmp --cap-add NET_ADMIN -p 8822:22 -p 8880:80 openwrt-18.06.1-x86-64-generic-rootfs:latest ▲docker exec -it ~~CONTAINER~~openwrt /bin/ash </syntaxhighlight> ▲<syntaxhighlight lang="bash" enclose="div"> docker exec -it openwrt uci set network.lan.ipaddr='`docker inspect --format="{{ .NetworkSettings.IPAddress }}" openwrt`' docker exec -it openwrt uci commit docker exec -it openwrt /etc/init.d/odhcpd disable docker exec -it openwrt /etc/init.d/dnsmasq disable docker exec -it openwrt /etc/init.d/sysntpd disable docker restart openwrt </syntaxhighlight> ==雑多なメモ== OpenWrt Head で IPv4 only の環境で docker 配下で動かすとなぜか wget が IPv6 でバインドしようとして 'Failed to establish connection' ネットワークの設定も間違いがないのがだ、IPv6 で bind しにいく。もちろん wget -4 では正常。uclient-fetch が wget の正体。ホストOS側で完全にIPv6を停止すれば大丈夫だが。強引な解決法 <syntaxhighlight lang="bash" enclose="div"> mv /bin/wget /bin/wget.orig cat <<EOF > /bin/wget #/bin/ash /bin/wget.orig -4 \$* EOF chmod +x /bin/wget </syntaxhighlight> ==security== ホストで制限したほうがよさそう <syntaxhighlight lang="bash" enclose="div"> sudo sysctl -w kernel.dmesg_restrict=1 sudo sysctl -w kernel.kptr_restrict=1 sudo sysctl -w kernel.yama.ptrace_scope=0 </syntaxhighlight>